Microsoft Office 365: Consent Phishing Attacks
Customers of Office 365, a cloud-based suite of Microsoft products, have become the new targets of phishing emails. Fraudsters are using OAuth, also known as Open Authorization, to gain access to account information and execute these attacks. OAuth applications allow users to grant permission for other applications to access their data without the need to add their login credentials each time. A common example of OAuth is when you use Facebook to log in to another service, like Spotify, using your Facebook account credentials.
Using a type of Phishing attack called, Consent Phishing or OAuth Phishing, the perpetrator sends a fraudulent email containing a deceptive link to an Office 365 customer, hoping the customer clicks the link. Once the link has been clicked, a prompt appears to grant OAuth permission for Office 365 to a website controlled by the perpetrator. The perpetrator can then access emails, files, contacts, as well as SharePoint, and OneDrive storage spaces, giving them the ability to forward fraudulent emails from an Office 365 customer’s account to an account under their control, further laying the groundwork for future attacks. With this information, perpetrators can then use your account to attack any of your Office 365 contacts. Beyond attacking your contacts, if your email is used as 2factor authentication, the attacker can access external accounts, even changing the passwords to those accounts.
Prevention is key to avoid being the victim of a consent phishing attack. Office 365 customers can verify and monitor any user consent apps or services linked to their accounts by going to their account’s consent manager dashboard. If suspicious apps or services are identified on the dashboard, select “remove these permissions” on the page that opens. Remember never to click links, open attachments, or grant permissions to apps you do not trust or recognize. Doing so could save you from a cyberattack.
More information regarding these types of attacks may be find in the links below: